Securing Java API for XML processing (JAXP) against malformed input

If your application takes untrusted XML, XSD or XSL files as input, you can enforce specific limits during JAXP processing to protect your application from malformed data. If you specify limits, you must override the default XML parser configuration with a custom configuration.

About this task

To protect your application from malformed data, you can enforce specific limits during JAXP processing. You can set these limits in your jaxp.properties file or by specifying system properties on the command line. However, for these limits to take effect, you must also override the default XML parser configuration with a custom configuration that allows these secure processing limits.

Note: The IBM XML implementation is deprecated in IBM® SDK, Java™ Technology Edition, Version 8 and will be replaced by the Oracle XML implementation in a future release.

Procedure

  1. Select the limits that you want to set for your application.
  2. To override the default XML parser configuration, specify the following system property on the command line: -Dorg.apache.xerces.xni.parser.XMLParserConfiguration=config_file, where config_file is the class name org.apache.xerces.parsers.SecureProcessingConfiguration. For more information about the full override mechanism, see http://xerces.apache.org/xerces2-j/faq-xni.html#faq-2.
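
The following launcher check is an added example, not part of the original documentation. It flags the misconfiguration this procedure guards against: limits that are set, on the command line or in jaxp.properties, while the parser configuration override is missing, so they never take effect. The function name audit_jaxp_opts is hypothetical, and the check assumes that limit properties use the standard JAXP jdk.xml. prefix (for example jdk.xml.entityExpansionLimit), which this page does not list.

```shell
#!/bin/sh
# Added example (not IBM's code): audit JVM options for JAXP limits that
# are set but not enforced because the configuration override is missing.
# Assumption: limit properties use the standard JAXP "jdk.xml." prefix.

OVERRIDE_KEY='org.apache.xerces.xni.parser.XMLParserConfiguration'
SECURE_CFG='org.apache.xerces.parsers.SecureProcessingConfiguration'

# audit_jaxp_opts "<jvm options>" [path to jaxp.properties]
# Prints a verdict and returns:
#   0 ok         limits found, override is SecureProcessingConfiguration
#   1 ignored    limits found, override missing or set to another class
#   2 no-limits  no jdk.xml.* limits found anywhere
audit_jaxp_opts() {
    opts=$1
    props=${2:-}
    limits=0
    override=

    # Scan the command-line options one token at a time.
    for tok in $opts; do
        case $tok in
            -Djdk.xml.*=*)       limits=$((limits + 1)) ;;
            -D"$OVERRIDE_KEY"=*) override=${tok#*=} ;;
        esac
    done

    # Limits can also be set in jaxp.properties (key=value lines).
    if [ -n "$props" ] && [ -f "$props" ]; then
        n=$(grep -c '^[[:space:]]*jdk\.xml\.[A-Za-z]*[[:space:]]*=' "$props" || true)
        limits=$((limits + n))
    fi

    if [ "$limits" -eq 0 ]; then echo no-limits; return 2; fi
    if [ "$override" = "$SECURE_CFG" ]; then echo ok; return 0; fi
    echo ignored
    return 1
}
```

Run it from a start script or a CI step with the same option string that is passed to java, and treat the ignored verdict as a deployment failure.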